GDB Helpsheet

security

Run the program:

gdb (output file name)

Debugging

Then we will enter gdb:

(gdb) break main          # Add breakpoint at main
(gdb) run
(gdb) disas main          # Disassemble code
(gdb) break *0x080483c1   # set breakpoint at specified address 
(gdb) cont
(gdb) disas
(gdb) ni	  # execute the next instruction then gdb gets control again

Play with registers

(gdb) print $eax          # print out the values of individual registers
(gdb) info registers      # view all register values
(gdb) display $eax        # use the display command to automatically display values each time a breakpoint is reached
(gdb) display $edx

Quick Summary

  ddd a.out
  (gdb) break main
  (gdb) run  6              # run with the command line argument 6
  (gdb) disass main         # disassemble the main function
  (gdb) break sum           # set a break point at the beginning of a function
  (gdb) cont                # continue execution of the program
  (gdb) break *0x0804851a   # set a break point at memory address 0x0804851a
  (gdb) ni                  # execute the next instruction
  (gdb) si                  # step into a function call (step instruction)
  (gdb) info registers      # list the register contents
  (gdb) p $eax              # print the value stored in register %eax
  (gdb) p  *(int *)($ebp+8) # print out value of an int at addr (%ebp+8)
  (gdb) x/wd $ebp+8         # examine the contents of memory at the given address
                            # as an int (w: word-size value d: in decimal) 
                            # display type in x is sticky: subsequent x commands
                            # will display values in decimal until another type is
                            # specified (ex. x/a $lsebp+8  # as an address in hex)
  (gdb) x/s 0x0800004       # examine contents of memory at address as a string
  (gdb) x/wd 0xff5634       # after x/s, the unit size is 1 byte, so if want
                            # to examine as an int specify both the width w and d

Compile Program

$ gcc example.c -o example -fno-stack-protector -z execstack -no-pie
$ gdb ./example
(gdb) disas main
(gdb) b *main+65
(gdb) b *main+105
(gdb) r $(python -c 'print "A"*272')
(gdb) i r  # info registers

Disable Protections

ASLR

To disable:

$ sudo echo 0 > /proc/sys/kernel/randomize_va_space

canaries

$ gcc overflow.c -o overflow -fno-stack-protector

DEP

$ gcc overflow.c -o overflow -z execstack

PIE

$ gcc overflow.c -o overflow -no-pie

GDB plugin

gdb-peda$ checksec
  • gef
  • pwndbg

Materials

  • Assembly
  • Heap and Stack Structure
  • elf file structure, glibc
  • memory protection technique
  • python, shellcode
  • dynamic debugging, linux kernel

Pwn tools

  • GDB
  • IDA Pro
  • pwntools
  • one_gadget
  • libc search
  • ROPgadget

Reference